Standards for Network Connectivity At Montana State University

Montana State University-Bozeman


Table of Contents

Introduction

Standards for Network Connectivity at MSU- Requirements and Recommendations

A. General
B. Account Maintenance
C. Computing and Networking Devices
D. Operating Systems
E. Communication Protocols
F. Application Software
G. Wireless Local Area Networks
H. MSU Standards for Authentication of Network Users

Introduction

These standards supplement Montana State University’s Campus Networking Policy, http://www2.montana.edu/policy/itc/Campus_Networking_Policy.htm. The information technology department at each of the four campuses of Montana State University (MSU-Billings, Bozeman, Great Falls and Havre) has primary responsibility for the design, installation, and operation of the central telecommunications network environments on their individual campuses. At MSU-Bozeman, the term information technology department refers to the Information Technology Center (ITC). In order to achieve a robust and stable network infrastructure, the information technology department must maintain administrative control over the campus networks and the kinds of data that traverse them. The information technology department will provide well-defined, basic network connectivity to meet the general campus needs. Additionally, the information technology department will work cooperatively with departments wishing to provide their users with additional, specialized networking services to ensure that the designs of those services meet the criteria outlined in this document and can be successfully integrated into the central network. The following standards apply to all devices and networks connected to the central telecommunications networks. Although strongly recommended, these standards are not mandatory for small experimental or instructional networks that are not connected to the campuses’ central telecommunications networks.

At MSU-Bozeman, ITC recognizes the invaluable support and contribution of departmental system administrators in providing unique and secure computer services meeting the individual requirements of their departments. ITC further recognizes that the security requirements of this document may be met in ways not specified in the document. Those departmental level system administrators that develop unique and creative methods for adhering to the security requirements of this document are encouraged to do so, understanding, however, that they are responsible for the support of their implementations which must conform to the intent of this set of standards.

ITC-Tom Morrison Page 1 01/24/07


Standards for Network Connectivity Requirements and Recommendations

A. General

Required

1. The owner of each network-connected device must identify an individual or group to be primarily responsible for the device and to ensure that the requirements of these standards are met. At the owner’s discretion, the group may include the information technology department staff, either contracted to support the device or hired as needed to support it. The person or group with these responsibilities is referred to hereafter as the administrator of the device.

2. The administrator of each network-connected device must be adequately trained in the administration of the device and its operating system. An administrator shall have training on the administration of the device and operating system such that s/he can configure the system, including the application of updates, security patches, etc., and perform basic troubleshooting in the event of device problems. When a device is used for storage of sensitive material (e.g., institutional data, student grades, social security numbers), administrative duties must be performed exclusively by trained employees fully informed of their responsibilities for the confidentiality and integrity of the sensitive material. It is the responsibility of the device owner to ensure that these responsibilities are fully and effectively communicated to the administrator and the user of the device. Computers on which sensitive data are stored require special security considerations. These computers are to be physically secured in such a manner that access to them is controlled, such as in a locked office or under the user’s direct control. Guest login capability is to be disabled on Windows-based computers. This requirement applies to devices housing sensitive data, which should not be accessible through guest accounts.

3. Administrators of multi-user, network-connected devices, such as servers, must monitor those devices systematically. If a device is providing critical services, its logs shall be written to a secure disk or recorded to another machine through a serial port. The logging information shall be analyzed periodically to detect unusual behavior. Ideally, scripts should be devised to automatically notify the administrator to take action in the event of unusual behavior.

4. The information technology department or the Internal Audit office may probe periodically the security of network-connected devices. When such a probe would be disruptive to the device in question, the entity conducting the probe will work with the device owner to minimize disruption. Device owners will be responsible for correcting, at their own expense, vulnerabilities identified by these probes. False positives will be identified and dealt with at the time of the network probes. Any disputes arising from these probes may be addressed through the appeals process.

5. Administrators shall regularly review and archive the log files that contain information about device activity and should keep those log files for an appropriate length of time.

6. Installation of all network wiring and installation of wireless networking infrastructure, such as wireless access points, is the responsibility of the campus information technology department. At MSU-Bozeman, wiring will be done in accordance with ITC Departmental Policies and Procedures. All campus building wiring must conform to electrical and fire codes. ITC has delegated authority from the Office of Facilities Services to perform wiring installation in compliance with code requirements (http://www2.montana.edu/policy/construction_activities_policy.htm). Please see Section G for clarification of wireless networking.

Recommended

7. Device administrators or members of the group responsible for administration should be reachable 24 hours a day, seven days a week in order to respond to major security incidents. If no administrator is available in the event of a major security incident involving the device, and if judged necessary by the information technology department staff, the device will be disconnected from the network until approval for its return to service is given by the information technology department.


8. Secondary administrators should be identified and adequately trained to perform the administrative functions for any operational device that is connected to the network in the absence of the primary device administrator, e.g., evenings, weekends, vacations.

9. Login access should be blocked for an appropriate length of time after three to five unsuccessful tries. All such attempts should be logged to a file that is owned by the device administrator and is not readable by others.

10. Multi-user, network-connected devices should be monitored for idle users. Administrators should notify users that remaining logged on for extended periods when not using their computers poses a security threat to the individual’s work as well as to the network and shared resources. Administrators are expected to be equally scrupulous in their own usage of the devices under their control.

11. Administrators should encourage users not to leave their desktop computers unattended when sensitive data or applications are accessible. Desktop computers should be configured with password-protected screen savers or similar utilities.
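The log review called for in items 3, 5 and 9 above, as an added example that is not part of the MSU standards: a Python script that scans constructed sshd-style log lines, flags accounts that reach the failed-login threshold inside a time window, and writes the report to a file readable only by its owner. The log format, the threshold of three and the 15-minute window are assumptions.

```python
"""Failed-login monitor for section A, items 3, 5 and 9.
Added example, not part of the MSU standards document. The sshd-style log
format below is an assumption; real logs differ, so adapt LINE_RE to them.
"""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real MSU system).
SAMPLE_LOG = """\
Jan 24 08:01:10 host1 sshd[2201]: Failed password for alice from 10.0.0.5 port 5001
Jan 24 08:01:14 host1 sshd[2201]: Failed password for alice from 10.0.0.5 port 5002
Jan 24 08:01:19 host1 sshd[2201]: Failed password for alice from 10.0.0.5 port 5003
Jan 24 08:01:25 host1 sshd[2201]: Failed password for alice from 10.0.0.5 port 5004
Jan 24 08:02:00 host1 sshd[2203]: Accepted password for bob from 10.0.0.7 port 5005
Jan 24 08:30:00 host1 sshd[2210]: Failed password for bob from 10.0.0.9 port 5006
Jan 24 09:30:00 host1 sshd[2211]: Failed password for bob from 10.0.0.9 port 5007
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_line(line, year=2007):
    """Return (timestamp, result, user, ip), or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_lockouts(lines, threshold=3, window=timedelta(minutes=15)):
    """Return {user: [(ip, first_failure, last_failure), ...]} for accounts that
    reached `threshold` failures inside `window`; a successful login resets it."""
    recent = defaultdict(list)      # user -> [(ts, ip), ...] still inside the window
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Accepted":
            recent[user].clear()
            continue
        fails = recent[user]
        fails.append((ts, ip))
        fails[:] = [(t, i) for t, i in fails if ts - t <= window]   # age out old ones
        if len(fails) == threshold:        # fire once, on the Nth failure
            hits[user].append((ip, fails[0][0], ts))
    return dict(hits)

def write_report(hits, path=None):
    """Write the lockout report so only its owner can read it (item 9);
    return the number of lockout lines written."""
    path = path or os.path.join(tempfile.gettempdir(), "lockout_report.txt")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    count = 0
    with os.fdopen(fd, "w") as report:
        for user, events in sorted(hits.items()):
            for ip, first, last in events:
                report.write(f"LOCKOUT user={user} ip={ip} "
                             f"first={first:%H:%M:%S} last={last:%H:%M:%S}\n")
                count += 1
    os.chmod(path, 0o600)      # in case the umask widened the permissions
    return count

if __name__ == "__main__":
    found = find_lockouts(SAMPLE_LOG.splitlines())
    print(f"{write_report(found)} lockout event(s) written; flagged: {sorted(found)}")
```

In the sample, alice trips the threshold on her third failure while bob's two failures an hour apart never do.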

B. Account Maintenance

Account maintenance refers to any computer or computing device account that provides access to network-connected devices and/or resources.

Required

1. Access to shared resources shall be granted only as needed, as determined by the account manager or other authorized individual.

2. Sharing of accounts and passwords intended only for an individual’s use is prohibited except when approved in writing by the campus information technology department head.

3. Account managers must be able to ascertain the identity of all account holders, including name, university identification number (GID), username, role (e.g., faculty, staff, student, consultant, etc.), phone number, and office or home address. ITC is not asking the administrators to maintain duplicate information when it is available in some other location such as the Banner database.

4. When an employee’s job responsibilities or status change, including termination of employment, that employee’s need for access to University computing resources is to be reviewed by the employee’s management. If no longer required, computer access for the employee is to be deactivated immediately upon notification to the account manager by the employee’s management.

5. Passwords are among the most important components of any computer and network security scheme. Users and administrators of network-connected devices are required to take all reasonable measures to ensure that users adopt secure, unguessable passwords, change them with reasonable frequency, and share them with no one.

6. Passwords are to be kept confidential. No procedure may be established in which account owners are required to disclose their passwords to others. Sharing of passwords is a security risk. Other administrative techniques can be implemented to assure that authorized persons, such as departmental system administrators, have access to the data when the user is unavailable.

7. Account managers will establish adequately secure procedures governing the reissuing of passwords to account owners who have lost or forgotten their passwords. The account owner shall be required to change the password again immediately to one that is known only to him or her.

Recommended

8. When feasible, the account manager should re-certify all established accounts annually to ensure that only valid accounts remain active. The device administrator should create documentation to support the re-certification process.

9. Passwords should be a minimum of eight characters in length. They should incorporate at least two non-alphabetical characters. No word appearing in any dictionary should be used unless it is modified to conform to the recommendation in the preceding sentence. This requirement is an industry standard method of developing passwords without requiring password generation software.

10. Whenever supported by the system, the device administrator should activate password aging, with 60-180 day expiration, depending on system needs (e.g., 60 days for administrative systems and 180 days for laboratory systems).

11. The account manager should keep a history of the last six to ten passwords used for each account if this feature is supported by the operating system.

12. Grace logins should be limited to no more than three. (A grace login is given after a password has expired and prior to the user changing the password.)
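Items 9 through 11 above, as an added example that is not part of the MSU standards: a Python check of the length, non-alphabetical and dictionary rules, a password history kept as salted hashes so the old passwords themselves are never stored, and the 60/180-day aging test. The word list is a constructed stand-in for a dictionary file and the PBKDF2 parameters are an assumption.

```python
"""Password checks for section B, items 9, 10 and 11.
Added example, not part of the MSU standards document. The word list is a
constructed stand-in for a dictionary file; PBKDF2 parameters are assumptions.
"""
import hashlib
import os
from datetime import date, timedelta

DICTIONARY = {"password", "bozeman", "montana", "grizzly", "bobcat"}  # constructed
MIN_LENGTH = 8                 # item 9
MIN_NON_ALPHA = 2              # item 9
HISTORY_DEPTH = 6              # item 11: keep the last six to ten passwords
MAX_AGE_DAYS = {"administrative": 60, "laboratory": 180}   # item 10
PBKDF2_ROUNDS = 100_000        # assumption; tune to the hardware

def hash_password(password, salt=None):
    """Salted PBKDF2 entry for the history list; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def matches(password, salt, digest):
    """True if `password` hashes to a stored (salt, digest) history entry."""
    return hash_password(password, salt)[1] == digest

def remember(history, password):
    """Return the history with `password` appended, trimmed to HISTORY_DEPTH."""
    return (list(history) + [hash_password(password)])[-HISTORY_DEPTH:]

def check_password(candidate, history=(), dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(not c.isalpha() for c in candidate) < MIN_NON_ALPHA:
        problems.append(f"fewer than {MIN_NON_ALPHA} non-alphabetical characters")
    # Item 9 rejects a bare dictionary word; a word modified with non-alphabetical
    # characters is allowed, so only the unmodified form is looked up.
    if candidate.lower() in dictionary:
        problems.append("is a dictionary word")
    if any(matches(candidate, salt, digest) for salt, digest in history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems

def password_expired(last_changed, system_type, today=None):
    """Item 10 aging: dates are ISO-8601 strings; `today` defaults to the real date."""
    changed = date.fromisoformat(last_changed)
    current = date.fromisoformat(today) if today else date.today()
    return current - changed > timedelta(days=MAX_AGE_DAYS[system_type])

if __name__ == "__main__":
    history = []
    for old in ("Mont4na!2005", "Mont4na!2006"):
        history = remember(history, old)
    print(check_password("bozeman", history))       # length, non-alpha, dictionary
    print(check_password("Mont4na!2006", history))  # reused
    print(check_password("Gr1zzly#Peak", history))  # [] -> acceptable
    print(password_expired("2007-01-24", "administrative", today="2007-04-01"))
```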

C. Computing and Networking Devices

Required

1. No device may be connected to the network until the default passwords for all preconfigured accounts have been changed from the manufacturer-provided passwords to new passwords known only to the administrator or account owner.

2. Only devices with network interfaces conforming to Ethernet standards may be connected to the network. In most cases approval of the interfaces will be part of the purchasing process through the ITC store. The information technology department may elect to revoke approval of any devices that prove to adversely affect the operation of the network.

3. Except by formal agreement between the information technology department and the device owner or the departmental system administrator, routers, bridges, switches, wireless access points, and other network electronics connected to the campus network are to be installed, maintained, and monitored exclusively by the information technology department, regardless of who has purchased the device.

Equipment of the type described above can be disruptive or dangerous to the network if improperly installed or configured. The information technology department needs to know about plans for connecting such equipment before it is attached to our network in order to avoid unwanted networking problems. Exception to this requirement may be provided for by formal agreement.

4. To facilitate the maintenance of an inventory of all network-connected computers and network electronics in use on the campus network, users of the network are required to provide the information technology department with all needed information about network-connected devices under the users’ control. This information may be provided by completion of the IP Request Form: http://www.montana.edu/wwwsy/Resources/ip_request.htm.

5. All production servers and all network electronics are to be placed in limited access rooms such as mechanical rooms, locked telecommunications rooms, locked cabinets or other secured areas. The information technology department and/or the Office of Facilities Services department are to control the keys to all such locations housing switches, routers, or other central networking equipment.

6. Fault tolerance, such as disk mirroring, server duplexing, or RAID, is required for servers that store critical institutional data. Additional fault tolerance requirements for research data may be specified in funding agency contracts.

Recommended

7. The information technology department may request owners of all network-connected devices to create accounts on those systems for the information technology department to use for emergency system administration purposes. Compliance will be optional but is highly recommended.

8. All new network interface devices (e.g., switches, routers, wireless access points, etc.) should support Simple Network Management Protocol (SNMP) over TCP/IP. SNMP-capable devices are preferable to others even when more expensive.

9. Fault tolerance, such as disk mirroring, server duplexing, or RAID, should be implemented for all servers that supply essential services.


D. Operating Systems

Required

1. Administrators of network-connected computer systems are required to configure and maintain the operating systems of those computers in such a way as to prevent unauthorized access and usage.

2. Administrators of network-connected computer systems are required to install all applicable operating system and utility security patches as soon as possible after the patches are released. Whenever possible, patches should be tested offline to ensure that they are effective and benign.

3. All susceptible network-connected devices must be protected against computer viruses, Trojan horses, worms, and denial of service attacks, either through the information technology department-approved protective mechanisms inherent to the operating system or by the addition of third-party software (e.g., anti-virus software, firewall software, etc.). Upon sale of new equipment, ITC will either install or offer for sale such countermeasure software. In all cases ITC will inform the buyer of recommended programs and procedures.

4. Network-attached computers will utilize operating systems which are actively maintained and for which patches for new vulnerabilities are released in a timely manner.

Recommended

5. Administrators of multi-user, network-connected computers should keep those computers' operating systems at the latest available revision levels.

6. Administrators of single-user, network-connected workstations and PCs should keep their computers' operating systems at the latest practical revision levels.

E. Communication Protocols

Required

1. The MSU campuses’ telecommunications networks are based on the Internet Protocol (IP). No other protocols may be used for network transmissions without the knowledge and express permission of the campus information technology department. An example of a non-IP based protocol on the network is the use of AppleTalk for local area networking. Transmission of other protocols may cause networking problems. The information technology department wishes to be informed in advance.

2. Enterprise services, which include domain name service (DNS), e-mail, routing, WINS services, firewalls, e-mail relay services, and Novell Directory Services (NDS), may be run only by or in cooperation with the information technology department.

Recommended

3. All unneeded protocols should be disabled on network devices such as printers and computers, or the devices should be configured such that they refuse attempted communications using those protocols.

F. Application Software

Required

1. Unauthorized use of packet sniffer software such as Ethereal or any other software that may be used for interception of network communications is forbidden on the MSU telecommunications networks unless expressly authorized in writing by the information technology department. This does not include the use of intrusion detection software such as Snort, vulnerability assessment tools such as Nessus, or network traffic analysis software used within a system administrator’s area of responsibility.

2. On Web servers, the CGI-bin directory and Web scripting are vulnerable and shall be disabled if not needed.

3. Administrators of multi-user, network-connected computers must keep those computers' application software (e.g., Telnet, FTP, HTTP clients and servers) at a secure revision level.

Recommended

4. Administrators of single-user, network-connected workstations and PCs should keep their computers' network-based application software at the latest practical revision levels.


5. Web (HTTP) services should not be installed on network-connected computers unless they are needed. If Web services must be run, the information technology department recommends use of a well-supported product (e.g., Apache, Internet Information Server, etc.) with only needed services enabled.

6. Whenever possible, source code and compilers should not be kept on servers.

7. When it is necessary to run a compiler, it should not be placed on a server used for e-mail, FTP, Telnet, or Web-based functions; a development or non-production server should be used.

8. When possible, major applications should be placed on separate servers, e.g., mail on its own server, Web sites on a separate server, etc.

G. Wireless Local Area Networks

The information technology department will maintain control of the radio frequency spectrum that FCC Part 15 wireless devices utilize as their base transport to achieve a robust and stable wireless infrastructure and prevent unintended interference to FCC licensed and unlicensed services. Part 15 wireless devices include, but are not limited to wireless LAN devices, cordless telephones, wirelessly connected or controlled video cameras, and wireless speakers.

Required

1. The information technology department, faculty, staff, students, and contractors who wish to purchase, install, and use any FCC Part 15 wireless device connected to the university network are required to coordinate those activities with the campus information technology department. When a non-network device is required for a specific teaching or research application, the information technology department will work with the owner to help ensure that use of the device may be accommodated without causing interference to the wireless network community.

2. The information technology department will seek out the user of a specific device if it is causing harmful interference to the campus wireless network or other FCC-licensed services. In these cases, the information technology department reserves the right to restrict the use of any FCC Part 15 device in any university-occupied building and in outdoor spaces on the Montana State University campuses.

3. All FCC Part 15 wireless access points must allow access only to those user devices authorized by an appropriate information technology department authentication server (e.g., wireless gateway, RADIUS server, etc.) or through implementation of MAC address registration on the wireless access points.

4. The information technology department will support the use of only designated remotely manageable FCC Part 15 wireless access points such as Aruba Networks. If a department decides to purchase other types of wireless access points, ITC shall assist with device configuration. Installation supervision and problem resolution will be billed at ITC’s labor rate.

5. All wireless systems deployed at MSU-Bozeman must comply with the Telecommunications Antenna/Tower Siting Policy: http://www2.montana.edu/policy/antenna_policy

6. Wireless local area network equipment installed at MSU and connected to the campus network must support data encryption techniques as outlined in the 802.11x standards or must support other available techniques such as VPN, 3DES, etc.

Recommended

7. Encryption of sensitive data on wireless networks is recommended.

H. MSU Standards for Authentication of Network Users

The university has an obligation to assist in federal, state, local, and campus law enforcement investigations of alleged computer-based violations of the law. As such, we may be required to identify computer users involved in suspected illegal activities. In order to facilitate compliance with these requests and to ensure the security of MSU data, the identities of users of the data communications network, at any given point in time, must be ascertainable.

Required

1. All users of network-connected computers must authenticate to the network or authentication device in such a manner (e.g., Kerberos, LDAP, Windows domain login, etc.) that the use of any computer can be traced to the user. Patron users of public access computers located in the Library buildings are not required to authenticate if their access is restricted such that it does not create security problems and is restricted to patron accessible services that the Library has determined are appropriate for patron access. Other devices, such as laboratory instruments and printers which do not support authentication, are also excluded from this requirement.

2. All Dynamic Host Configuration Protocol (DHCP) servers connected to the MSU data communication networks must be configured in such a manner that the servers log the MAC address of each user’s machine and the IP address assigned to it, as well as the assignment and release times of the IP address. Upon request, records pertaining to the ownership of the MAC and IP addresses must be made available to authorized university or law enforcement personnel by the DHCP server administrator. It is not the information technology department’s intent to define the duration for which logs are kept. This should be a departmental decision. (ITC retains its log via tape backups for eight weeks.) It is not ITC’s intent to limit the use of DHCP servers on campus. ITC uses them in conjunction with the wireless system and the Library. ITC only hopes to be able to identify unauthorized users of the campus network when requested to do so by the appropriate authority.
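The lease records item 2 calls for, as an added example that is not part of the MSU standards: a Python lookup over a constructed lease log (MAC, IP, assignment time, release time) that answers which MAC address held an IP address at a given moment and lists a MAC's assignment history for an authorized request. The CSV layout is an assumption; a real DHCP server's own lease log would be parsed instead.

```python
"""Lease-record lookup for section H, item 2 (DHCP MAC/IP assignment logging).
Added example, not part of the MSU standards document. The CSV lease log is
constructed and its layout is an assumption; a real server's lease log (ISC
dhcpd, Windows DHCP) has its own format and would need its own parser.
"""
import csv
import io
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed lease log: one row per assignment; `released` is blank while the
# lease is still active. Addresses are documentation/example values only.
SAMPLE_LEASE_LOG = """\
mac,ip,assigned,released
00:11:22:33:44:55,192.0.2.10,2007-01-24T08:00:00,2007-01-24T12:00:00
00:11:22:33:44:66,192.0.2.10,2007-01-24T12:30:00,2007-01-24T15:00:00
00:11:22:33:44:55,192.0.2.11,2007-01-24T13:00:00,
"""

def parse_lease_log(text):
    """Return one dict per lease; `released` is None when the lease is active."""
    leases = []
    for row in csv.DictReader(io.StringIO(text)):
        leases.append({
            "mac": row["mac"].lower(),
            "ip": row["ip"],
            "assigned": datetime.strptime(row["assigned"], FMT),
            "released": datetime.strptime(row["released"], FMT) if row["released"] else None,
        })
    return leases

def holder_of(leases, ip, when):
    """MAC address that held `ip` at ISO time `when`, or None if it was unassigned.
    Leases are half-open intervals [assigned, released); an active lease has no end."""
    t = datetime.strptime(when, FMT)
    for lease in leases:
        if lease["ip"] != ip or lease["assigned"] > t:
            continue
        if lease["released"] is None or t < lease["released"]:
            return lease["mac"]
    return None

def history_of_mac(leases, mac):
    """All (ip, assigned, released) records for a MAC, for an authorized request."""
    return [(rec["ip"], rec["assigned"].strftime(FMT),
             rec["released"].strftime(FMT) if rec["released"] else None)
            for rec in leases if rec["mac"] == mac.lower()]

if __name__ == "__main__":
    leases = parse_lease_log(SAMPLE_LEASE_LOG)
    print(holder_of(leases, "192.0.2.10", "2007-01-24T09:00:00"))   # 00:11:22:33:44:55
    print(holder_of(leases, "192.0.2.10", "2007-01-24T12:15:00"))   # None (between leases)
    print(history_of_mac(leases, "00:11:22:33:44:55"))
```

The gap between 12:00 and 12:30 shows why both assignment and release times must be logged: with only assignment times, the first MAC would wrongly be blamed for anything the address did in that interval.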
